Wednesday, November 12, 2014

Last week a group of Google employees led by Elie Bursztein joined UCSD researchers Andreas Pitsillidis and Stefan Savage in presenting the findings of a study on phishing to the ACM Internet Measurement Conference in Vancouver, British Columbia. Their paper, Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild (12 page PDF) was picked up broadly in the press, and as usual, wildly misinterpreted.

At least 110 articles referring to the study were found in a simple Google News search with headlines ranging from the somewhat accurate:

Manual Phishing Gmail Attacks Found To Be Very Effective - Top Tech News, Nov 9, 2014

Phishing scams work 45% of the times: Google study - Times of India, Nov 10, 2014

Have You Been Scammed? Phishing Emails Successful 45% of the Time - Crave Online, Nov 11, 2014

A scary number of you are still falling for phishing scams, says Google - Nov 10, 2014

What did Google and UCSD Actually Say about Phishing?

First, the 45% quote. For the 100 Google/Gmail phishing sites that the researchers studied, they found that depending on the structure of the page, as few as 3% of the visitors filled out the phishing form and submitted their data. Overall 13% of the visitors to the webforms shared their personal data with the phishers, while in the most extreme example, 45% of the visitors to the phishing web page completed the form and submitted their personal data.

There were several interesting findings in the study. A few that I found interesting included:

35% of phishing sites target victims' email

21% of phishing sites target banking credentials

A growing number of phishing sites are targeting App Stores and Social networking credentials

Account takeovers are primarily Fast and Foreign:

20% of compromised Google accounts were logged into within 30 minutes

The top countries of origin for hijackers were China, Ivory Coast, Malaysia, Nigeria, and South Africa

The easiest way to have your account restored is to have registered an SMS telephone number for out of band contact.

Manual Hijacking

The focus of this study was the process of Manually Hijacking accounts belonging to Google users. Because of that focus, it is not clear how broadly the observed behaviors can or should be projected onto other types of phishing. At Malcovery Security we observe 600 to 800 newly created phishing sites per day. This study focused primarily on Gmail/Google phish from January 2014, and for part of the study focused specifically on 100 Gmail phishing websites.

Google provided some statistics on how widely the problem of manual hijacking has been seen in the past. Over calendar 2012-2013, Google's security teams found that approximately 9 manual hijacking cases per day per million active users occurred. With over 500 million subscribers, Google is dealing with thousands of such account hijacks per day.

With Google participating in the research, researchers were able to determine that when an account is taken over, the criminals log in to the account and search the email history and address book to determine how best to monetize the account. It seems that every week someone will make the comment in my presence "Yes, I have malware on my computer, but the worst that might happen is they get my email password!" But think about what is possible with that. How would you reset your password at your bank? Amazon.com? eBay? On most of those sites, clicking "I Forgot My Password" results in an email being sent with a "Reset My Password" link! If the criminal finds an email from your bank in your email history, they now know exactly which bank to visit to click "I Forgot My Password!" The email account is the key to the entire balance of your bank account!

The researchers also found that the scam we first wrote about in 2009 in the post Traveler Scams: Email Phishers Newest Scam is still quite prevalent. In this scam, because the criminal has access to your recent sent emails and address book, they are able to contact your friends and family with news of a tragedy while traveling where they desperately need money wired overseas to help them through the crisis. I've met many individuals who have wired money to their friends before realizing it was a scam! They often have stories of how they KNEW the email was truly from their friend, because when they asked questions, their friend replied with details only the friend would know. Often these details made use of prior "private" conversations in the phishing victim's email sent items box!

Popular Email Phish from Malcovery's ThreatHQ System

In the past seven days, Malcovery Security confirmed 416 distinct phishing URLs related to Google and their properties. These URLs were hosted on 207 distinct domain names on 174 different IP addresses. By country, the United States is the most prominent host of phishing sites, not just for Google, but for nearly every brand that does business in the USA. Of those 174 IP addresses, 90 are in the United States.

Google phish locations: November 5-12, 2014 (IP addresses by country)

90 United States of America
8 Great Britain
7 Turkey
6 Australia
5 Canada
5 Chile
5 Germany
4 Indonesia
4 India
4 Italy
4 Netherlands
4 Romania
4 Russia
4 Singapore
4 Spain
3 France
3 Thailand
2 Brazil
2 Hong Kong
2 South Africa
1 Japan
1 Korea
1 Mauritius
1 Ukraine

This popular phish appeared on the domains bloo8.net, iyfcolombia.org, beingmedicalep.com, lifeofease.us, microcenterengineering.com, manosartesanasdelaregion.com, ouzophilippos.com, acount-verification.com and many others.

Although this phishing site is PRIMARILY imitating DropBox, it still steals Gmail and other email credentials:

The domain hosting this phish was "t-online.de".

This version brings in many cable-provider logos for email address choices, rather than relying on "Other Email" as some of the others do:

This version brings the logos of many Chinese language email providers into the mix:

One of the earlier forms of the phish:

These are just a few examples of the "look and feel" of some of the 400+ Google-related phishing URLs we've seen in the past seven days at Malcovery Security. Most of them were seen many times each!

Last week we shared a blog post about phone scams claiming to have a Warrant For Your Arrest. After sharing some information about that scam, we've been receiving tips from several of our students about similar phone scams.

US Federal Grant Scam

The scam begins with a phone call, in our case coming from callerid 305.356.9999, claiming that we have been selected to receive a Grant from the Federal Government because of our participation in a survey. Of all the people who have taken this IRS Survey, 1700 people have been selected to receive this grant. The caller then instructs us that we should go to a Western Union location near us and we should call them back once we are at the Western Union for instructions on how to receive our $9,500 grant.

The callback number was (516) 554-0006, which seems to be a New York number in Garden City.

So, we waited a bit and called the criminals back from the Western Union store in my office. (grin).

When we called the 516 number, the line was answered "US Federal Grants" and we were asked for the code that we had been given during the first call. I tried providing a slightly wrong code, and learned that they actually are tracking the codes, because she was unable to look up our information. We provided the correct code and learned that it was "very important that we don't go into the Western Union Store yet!"
She then asked me if we were near a grocery store, such as a 7-Eleven. I told her I had a Publix store nearby but she said that wouldn't work. After some back and forth, we learned that a CVS Pharmacy would work for her needs. She instructed me that I needed to go to the CVS and buy a GreenDot MoneyPak card for $200.

"You need to put $200 on the card to activate the Money Transfer Control Number, but you will get the $200 back, it will be reimbursed with your grant.

Now, simply let me tell you, you are not going to pay the money to me or to my department. This is your money and it is going to be reimbursed back to you. Before we can transfer the money you have to make a registration with the Federal Reserve Bank and once you make the registration then with the help of the Federal Reserve Bank registration number, I will generate the Money Transfer Control Number so that you can receive your money from the Western Union Store."

Here's the audio clip of that part . . .

Audio clip - How it works: the woman at US Federal Grants, who sometimes claimed this grant was from the IRS, tells us we need to pay a $200 registration fee.

She then "transferred us" to the Federal Reserve Bank as you can hear with this link.

Kevin was good enough to explain the whole process of how to purchase a GreenDot MoneyPak card for $200 so that I could "within 5 minutes" pick up my $10,000 - (the $9800 grant + $200 reimbursement for my registration) - from the Western Union Counter. Here's the audio of him explaining it to us:

What To Do if you are a US Federal Grant Scam victim

Although the form has many questions that you may not be able to answer, complete the form to the best of your ability with the information you DO know. Specifically make sure to note things such as:

What name did the person use?

Did they call you by name?

What agency, department, or company did they claim to be with?

How much money did they want you to pay?

What number(s) show up in your callerid?

Did they give you any other numbers to call or websites to visit?

Even if you do not have ALL of this information, any information you share can help link cases together. If someone calling Houston and someone calling Birmingham both told you to call the same phone number, that is a "link". If they used the same Officer Name, that is another "link". The more individual cases we can link together, the better chance we have of catching the criminals!

IF YOUR SCAM MENTIONS THE IRS, be sure to report the crime to the investigators at the Department of Treasury who have set up a special website for gathering information about this scam:

Monday, November 10, 2014

One of the best emails that an employee can get from their employer is the one that tells you that you have been awarded a raise! In certain industries, such as academia, this type of email is quite rare, so you can imagine what welcome news it would be!

University Salary Phish Example

Phishers have been attacking universities across the country with emails that look like this one (Example email from University of Chicago):

The University is having a salary increase program this year with an average of 2.5%.
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:

Friday, November 07, 2014

Yesterday the scammers tried to hit the wrong victim! Neera Desai works for us at Malcovery Security as a Threat Intelligence Analyst on the malware team. She had received a voicemail on her phone while she was in one of her UAB Computer Science classes and knew that this could be a clue towards something big. She played it for me, and we provided a copy to law enforcement.

The recording is available here as an m4a file (QuickTime will play it):

This message is for (student name). Hi this is officer Steven Jones and I'm calling you from Jefferson County. The reason of my call is to inform you that we have received a legal complaint against you
on ??? identity. So if you want to be on the safer side and not get arrested contact on 646 759 4934
I repeat (646) 759-4934. If you disregard this message you alone are responsible for the legal actions
that are taken against you. Thank you and have a great day!

Later the same day HER ROOMMATE had the same scam against her, only she happened to be at a place where she could answer the phone! Her call was from "Officer Austin Reed" instead of "Officer Steven Jones".

When we started digging into this scam we realized that this is an EXTREMELY POPULAR scam! We shared the information with the North Alabama Identity Theft Task Force, the Internet Crime & Complaint Center (IC3.gov) and the National Cyber Forensics Training Alliance (NCFTA) and have learned quite a bit more about the scope and range of this attack.

The Scam Structure

There are three parts to the "signature" of this attack:

The victim receives a telephone call with a spoofed callerid to make it appear to be from either the IRS (they often spoof the "1040 hotline"), a law enforcement agency geographically proximal to the potential victim's location, or 911, the emergency contact number used in the United States.

The victim will be told that they have committed a crime, which may include running a red light and being caught by a traffic camera, failing to appear for Jury Duty, failing to pay their taxes or failing to pay them on time, or, if an international person, having a problem with immigration paperwork.

The victim will be instructed to send a payment immediately, with amounts ranging from $500 to $2,500, and threatened with immediate arrest if they fail to comply.

Recent Alabama Phone Scams

There do seem to be "locality waves" to this attack, where certain geographies will be heavily targeted, and then the attack will move on to another locality. As an example, in my area, dialing code (205), central Alabama, several organizations have issued warnings about this type of attack, including:

What to Do?

There are TENS OF THOUSANDS of scam victims of this type all over the country. But without your clues, law enforcement doesn't know if this is one large organized crime group, ten groups, twenty groups, or a thousand individual con men acting alone. It is EXTREMELY IMPORTANT that you add your clues to the investigation.

The Best Place to report any type of online scam is the FBI's Internet Crime & Complaint Center. To go directly to their complaint page, use this link:

Although the form has many questions that you may not be able to answer, complete the form to the best of your ability with the information you DO know. Specifically make sure to note things such as:

What name did the person use?

Did they call you by name?

What agency, department, or company did they claim to be with?

What did they accuse you of?

How much money did they want you to pay?

What number shows up in your callerid?

Did they give you any other numbers to call or websites to visit?

Even if you do not have ALL of this information, any information you share can help link cases together. If someone calling Houston and someone calling Birmingham both told you to call the same phone number, that is a "link". If they used the same Officer Name, that is another "link". The more individual cases we can link together, the better chance we have of catching the criminals!
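The "link" idea described in both phone-scam posts above (the same callback number or the same officer name tying a Houston report to a Birmingham report) can be worked through in code. This is an added example, not part of the original post or any tool used by the investigators: it normalizes the phone numbers and names from constructed sample reports (the names and numbers quoted in the posts, with made-up cities) and clusters reports that share any indicator, so a reader can see how partial reports still join into cases.

```python
import re
from collections import defaultdict
FIELDS = ("id", "city", "officer", "callback", "callerid")
# Constructed sample reports: names and numbers are those quoted in the posts
# above, cities and the rest are made up for illustration.
REPORTS = [dict(zip(FIELDS, row)) for row in [
    (1, "Birmingham", "Officer Steven Jones", "646 759 4934", ""),
    (2, "Houston", "Officer Austin Reed", "(646) 759-4934", ""),
    (3, "Tuscaloosa", "officer steven jones", "", ""),
    (4, "Birmingham", "", "(516) 554-0006", "305.356.9999"),
    (5, "Miami", "", "", "305-356-9999"),
]]

def normalize_phone(raw):
    """Digits only, with a leading US country code dropped."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def normalize_name(raw):
    """Lower-case, drop an 'Officer' title, collapse whitespace."""
    name = re.sub(r"^\s*officer\s+", "", raw, flags=re.I)
    return " ".join(name.lower().split())

NORMALIZERS = {"officer": normalize_name,
               "callback": normalize_phone, "callerid": normalize_phone}

def link_cases(reports):
    """Union-find over shared indicators; returns (clusters, links)."""
    parent = {r["id"]: r["id"] for r in reports}
    def find(x):  # follow parent pointers to the cluster root
        while parent[x] != x:
            x = parent[x]
        return x
    seen, links = {}, []  # (field, value) -> first report id carrying it
    for r in reports:
        for field, norm in NORMALIZERS.items():
            value = norm(r[field])
            if not value:
                continue
            if (field, value) in seen:
                other = seen[(field, value)]
                links.append((other, r["id"], field, value))
                parent[find(r["id"])] = find(other)
            else:
                seen[(field, value)] = r["id"]
    groups = defaultdict(list)
    for rid in parent:
        groups[find(rid)].append(rid)
    return sorted(sorted(g) for g in groups.values()), links
```

Reports 1, 2 and 3 end up in one cluster even though no two of them share every field, while reports 4 and 5 form a second cluster through the spoofed callerid alone.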

IF YOU HAVE THE IRS VERSION of the case, be sure to report the crime to the investigators at the Department of Treasury who have set up a special website for gathering information about this scam: